Temporal Analysis Anomalies with iOS iMessage Communication Exchange Michelle Govan and Kenneth Ovens School of Engineering & Built Environment, Glasgow Caledonian University, Scotland.
[email protected] [email protected] Abstract. The universal adoption of mobile devices provides an abun- dance of data for forensic investigators to extract, analyse, and recon- struct events. Unfortunately, anomalies produce misleading temporal data and other discrepancies which, without proper understanding, can hinder investigations. To ensure more data can be converted into reliable evidentiary material this paper presents a detailed study of an Apple iMessage communication exchange in iOS 7, explaining the occurrence of discrepancies and examining temporal data accuracy. The ability to establish a message origin on a system where multiple devices share a single account is also explored. Keywords: cyber forensics, temporal analysis, iMessage, iOS 1 Introduction The near ubiquitous use of mobile devices has created individual repositories that provide an abundance of data on a user's activities, which in turn provides investigators with potentially rich sources of information that previously may not have existed. However, such information can only become reliable evidence when there is a complete understanding of the data dynamics on devices that provide such data, and there are explanations for any apparent anomalies that arise. With reliable temporal data investigators can begin to reconstruct a chronolog- ical list of events to find out what happened, when it happened, and who was involved [1]. However, temporal data can also be misleading due to poor con- figuration, time-zone differences, daylight saving time, clock drift, or how the operating system and application have been programmed [2].